EDPB Releases Guidelines on Territorial Scope of GDPR
The European Data Protection Board (EDPB) has released its guidelines on the territorial scope of the General Data Protection Regulation (GDPR) for public consultation. The guidelines seek to clarify the application of GDPR to controllers and processors that are not located in the European Union (EU) and the scope of the privacy law's extraterritoriality. Here is a brief overview of some of the key concepts in the 23-page version released for public consultation:
Article 3(2) – Targeting the EU:
Determining whether GDPR applies based on the targeting criterion involves a two-part test: first, whether the data subject is in the EU, and second, whether the processing relates to the offering of goods/services to, or the monitoring of the behavior of, data subjects in the EU.
Who is a data subject in the Union?
The determining factor is the location of the individual. The nationality or legal status of a person in the EU does not limit or restrict GDPR’s territorial scope. For example, GDPR would apply to data collected by a city mapping app used by tourists when they are in London, Paris or Rome regardless of their nationality.
However, there must be some targeting of individuals in the EU in order for GDPR to apply. For example, GDPR does not apply to a U.S. citizen who downloads a news app offered by a U.S. company that is exclusively directed at the U.S. market while that individual is traveling through Europe.
Additionally, processing of personal data of EU citizens that takes place in a third country (without targeting in the EU) does not trigger the application of GDPR under this section.
What is offering of goods or services?
The question is whether the conduct by the controller or processor demonstrates its intention to offer goods or services to a data subject located in the EU. Furthermore, no payment is necessary by an individual in order to be considered the target of an offer of goods or services. For further information, the guidelines point to Recital 23 and applicable jurisdictional case law by the CJEU.
The guidance reaffirms that the mere accessibility of a website in the EU does not itself provide sufficient evidence to demonstrate an intent to offer goods or services to data subjects in the EU.
When is monitoring of data subjects’ behavior triggered?
Behavioral monitoring includes tracking a person on the internet, as well as other tracking through networks or technologies that involve personal data processing. For example, it would include processing of data through wearable technology and other smart devices.
For there to be monitoring, the controller must have a specific purpose in mind for the collection and reuse of the behavior data. Not every online collection or analysis is automatically monitoring. The EDPB provides a list of some particular monitoring activities in the guidance, including behavioral advertising, geolocation for marketing, online tracking through cookies, personalized online diet services, CCTV, market surveys, and health monitoring.
Article 3(1) – Establishment in the EU:
Is there an establishment?
The CJEU has ruled in the past that the notion of establishment extends to any real and effective activity, even when minimal, exercised through stable arrangements. In some instances, this may be as little as a single employee or agent if there is a sufficient degree of stability in the relationship. However, the concept of an establishment does not extend so far as to say that a non-EU entity has an establishment in the European Union simply because its website is accessible in the EU.
Is the processing of personal data carried out in the context of the activities of an establishment?
For Article 3(1), GDPR is not limited to processing carried out by the relevant EU establishment itself. There must be some connection between the processing and the establishment. However, the mere existence of a presence in the EU with remote links to the data processing of a non-EU entity may not be sufficient to trigger the application of GDPR.
Even if the local establishment is not itself taking part in the data processing outside the EU, the processing may be “inextricably linked” to it, and thus GDPR applies. For example, an office in the EU that runs marketing campaigns would be sufficient. However, having a website that is available in German, French and Spanish without any other presence in the EU is given as an example of an insufficient connection under Article 3(1).
What happens if a controller in the EU uses a processor not subject to GDPR?
The controller may use a processor located outside of the European Union and not subject to GDPR, but it must establish a contract with the processor setting out the requirements of Article 28(3). It must also meet the obligation of GDPR Article 28(1) to only use a processor providing sufficient guarantees to implement processing in a manner that protects the rights of data subjects. The processor will therefore become indirectly subject to some obligations of GDPR by way of the contract.
What happens if GDPR does not apply to the controller but it does apply to the processor?
The new guidance lays out the sections of the GDPR that apply to the processor. These include:
– Article 28 (except 28(1))
– Article 29 and 32(4)
– Article 30(2), if applicable
– Articles 31-33
– Articles 37-38, if applicable
– Chapter V on transferring personal data to third countries or international organizations.
Article 3(3) – Public International Law:
This section applies to EU diplomatic missions and consular posts, laid out in the Vienna Convention on Diplomatic Relations of 1961 and Vienna Convention on Consular Relations of 1963.